Unconditional security proof of long-distance continuous-variable quantum key distribution with discrete modulation

HAL Id: hal-00459177

https://hal.archives-ouvertes.fr/hal-00459177

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

continuous-variable quantum key distribution with

discrete modulation

Anthony Leverrier, Philippe Grangier

To cite this version:

Anthony Leverrier, Philippe Grangier. Unconditional security proof of long-distance continuous-variable quantum key distribution with discrete modulation. Physical Review Letters, American Physical Society, 2009, 102 (18), pp.180504. �10.1103/PhysRevLett.102.180504�. �hal-00459177�

Unconditional Security Proof of Long-Distance Continuous-Variable Quantum Key Distribution

with Discrete Modulation

Anthony Leverrier

Institut Telecom/Telecom ParisTech, CNRS LTCI, 46, rue Barrault, 75634 Paris Cedex 13, France

Philippe Grangier

Laboratoire Charles Fabry, Institut d’Optique, CNRS, Universite´ Paris-Sud, Campus Polytechnique, RD 128, 91127 Palaiseau Cedex, France

(Received 22 December 2008; published 6 May 2009)

We present a continuous-variable quantum key distribution protocol combining a discrete modulation and reverse reconciliation. This protocol is proven unconditionally secure and allows the distribution of secret keys over long distances, thanks to a reverse reconciliation scheme efficient at very low signal-to-noise ratio.

DOI:10.1103/PhysRevLett.102.180504 PACS numbers: 03.67.Dd, 42.50.
p, 89.70.
a

The first practical application of quantum information theory is certainly quantum key distribution (QKD) [1], which allows two distant parties to communicate with absolute privacy, even in the presence of an eavesdropper. Two families of QKD protocols coexist today, relying either on photon counting techniques or homodyne detec-tion, which correspond to discrete and continuous-variable protocols, respectively. The better efficiency of homodyne detection over single photon counting at the telecom wave-length has stimulated the study of continuous-variable protocols in the last few years [2,3]. However, despite its technological advantages, continuous-variable QKD (CVQKD) is still not considered as a true alternative to discrete QKD, mostly because it seems restricted only to short distances. The main reason for that lies in the clas-sical postprocessing of the data shared by Alice and Bob who need to construct a key from continuous random values, which is a task far more complicated than its discrete counterpart.

In this Letter, we introduce a specific CVQKD scheme, which exhibits two specific related advantages: first, it allows us to simplify significantly both the modulation scheme and the key extraction task, and second, it makes it possible to distill secret keys over much longer distances. Continuous-variable protocols have recently been shown to be unconditionally secure, that is, secure against arbitrary attacks [4]. In particular, collective attacks are asymptotically optimal, meaning that the theoretical secret key rate K obtained using one-way (reverse) reconciliation is bounded below by:

K  Iðx:yÞ
Sðy:EÞ  Kth; (1)

where x, y represent the classical data of Alice and Bob, and E is Eve’s quantum state. Here Iðx:yÞ refers to the Shannon mutual information [5] between classical random values x and y, and Sðy:EÞ is the quantum mutual informa-tion [6] between y and the quantum state E. The reason for using two different measures of information is that Eve has

no restriction on her capabilities (other than the ones imposed by quantum mechanics), while Alice and Bob must be able to extract a key with current technology. This secret key rate is valid for reverse reconciliation [3]: the final key is extracted from Bob’s data and Bob sends some side information to Alice on the authenticated clas-sical channel to help her correct her errors. In addition, one should note that Kthcorresponds to a scenario where Alice

and Bob could perform perfect error correction, which is never the case in practice. For this reason, the key rate must be modified in the following way [7,8]:

Kreal¼
Iðx:yÞ
Sðy:EÞ; (2)

where
is the so-called reconciliation efficiency. The term
Iðx:yÞ simply corresponds to the amount of information Alice and Bob have been able to extract through reconcili-ation. The second term, Sðy:EÞ, is bounded from the cor-relation between Alice and Bob’s data, using a Heisenberg-type inequality.

Whereas the reconciliation efficiency is not usually taken into account to estimate asymptotic bounds, we must include it in our analysis because it is currently the limiting factor for the range of CVQKD with Gaussian modulation. In [8], it was argued that working at low signal-to-noise ratio (SNR) increases the range of the pro-tocol. Unfortunately, maintaining a good reconciliation efficiency at very low SNR is even more difficult to achieve. This point is exactly the limitation that the proto-col presented in this Letter manages to overcome, hence allowing QKD over longer distances.

This Letter is organized as follows: after detailing the limitations of the Gaussian modulation, we present our new four-state protocol as well as its unconditional security proof. Then we describe the reconciliation step and show that its efficiency remains remarkably high, even at very low SNR. Finally, we show the expected performances of the protocol and discuss some perspectives.

Gaussian vs discrete modulation.—Most CVQKD pro-tocols use a Gaussian modulation since it is the one max-imizing the mutual information between Alice and Bob over a Gaussian channel. In such a protocol, Alice draws two random values qA, pA with a Gaussian distribution

N ð0; VAÞ and sends a coherent state jqAþ ipAi to Bob.

The main problem of this modulation arises when one wants to perform QKD over long distances. In this case, there are two possibilities to fight the noise induced by the losses in the channel: either increase the variance of the modulation so that the SNR remains reasonably high, or work at low SNR. Unfortunately both approaches tend to fail over a few tens of kilometers.

Working at high SNR requires us to achieve a very good reconciliation efficiency, otherwise the secret key rate goes to zero [7,8]. Capacity-achieving error correcting codes are therefore required for this task. Unfortunately, even with the best codes presently available, such as low-density parity-check (LDPC) codes [9] or turbo codes [10], one cannot expect to extend the range of the protocol well over 30 kilometers [7].

Working at low SNR relieves a little bit the need for capacity-achieving codes, but reasonably good low-rate codes are still hard to combine with the Gaussian modula-tion. Some interesting algebraic properties of R8 can be useful in this situation, and help with increasing the achiev-able distance to over 50 kilometers [8].

At the present time both of these approaches seem to have been pushed at their maximum using the state-of-the-art channel coding techniques, and breaking this 50 kilo-meters limit seems unlikely with a Gaussian modulation.

One should emphasize the following point: while a Gaussian modulation performs much better than a binary modulation at high SNR (simply because a binary modu-lation cannot send more than one bit of information per signal), it is not the case for low SNR. Adding to this fact that a binary modulation allows for a much better recon-ciliation efficiency at low SNR, we infer that the modula-tion required to achieve long distances is not Gaussian. Examples of binary (or quaternary depending on the num-ber of quadratures considered) modulation have been pro-posed in the past [11,12], but were often combined with a postselection procedure [13], and are not known to be unconditionally secure.

The four-state protocol.—The protocol we propose runs as follows. Alice sends randomly one of the four coherent states: jeið2kþ1Þ=4_{i with k 2 f0; 1; 2; 3g. The amplitude }

(taken as a real number) is chosen so as to maximize the secret key rate one can expect from the expected experi-mental parameters (transmission of the line and excess noise). Bob measures randomly one of the quadratures in the case of the homodyne protocol [14] and gets the result y. The sign of y encodes the bit of the raw key while Bob reveals the absolute value jyj to Alice through the classical authenticated (but not secure) channel. At this point, Alice and Bob share correlated strings of bits. In order to help

Alice correct her data, Bob sends some side information over the classical channel, typically the syndrome of his string relative to a binary code they agreed on beforehand. From a classical communication perspective, the error correction (reconciliation) is then a problem of channel coding for the so-called BIAWGN channel, where a binary modulation is sent over an Additive White Gaussian Noise channel, and for which there exist very good codes, even for extremely low SNR.

The present protocol can thus be seen as a hybrid between the Gaussian modulation protocol, with which it shares the physical implementation as well as the security proofs based on the optimality of Gaussian states, and protocols combining a discrete modulation with postselec-tion, for which the error correction is substantially easier to perform, but whose unconditional security has not yet been established.

Let us now prove that the four-state protocol is un-conditionally secure. First, it is enough to prove the se-curity against collective attacks as they are the most power-ful attacks in the asymptotic limit [4]. Then, as usual, the security is established by considering the equiva-lent entanglement-based version of the protocol. The state sent to Bob in the prepare and measure scheme is a mix-ture of four coherent states:  ¼14 P3k¼0jkihkj with

k ¼  expðið2k þ 1Þ=4Þ. The entanglement-based

ver-sion uses a purification j
i of this state such that:  ¼ trAðj
ih
jÞ. This state  can be diagonalized as

 ¼ 0j0ih0jþ1j1ih1jþ2j2ih2jþ3j3ih3j

where 0;2¼12e
 2 ½coshð2_{Þ  cosð}2_Þ, 1;3¼ 1 2e
 2

½sinhð2_{Þ  sinð}2_{Þ and}

jki ¼ e
2₌₂ ffiffiffiffiffiffi k p X1 n¼0 4nþk ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð4n þ kÞ! p ð
1Þn_{j4n þ ki}

for k 2 f0; 1; 2; 3g. Therefore, a particular purification of  obtained by the Schmidt decomposition is j
i ¼ P₃

k¼0

ffiffiffiffiffiffi k

p

jkijki which can be rewritten as j
i ¼ 1

2

P₃

k¼0jckijki where the states

j_cki ¼1 2

X3 m¼0

e
ið1þ2kÞmð=4Þjmi

are orthogonal non-Gaussian states.

The entanglement-based version of the four-state proto-col can be described as follows. Alice prepares the en-tangled state j
i and performs the projective measurement fj_c0ih_c0j; jc1ihc1j; jc2ihc2j; jc3ihc3jg on her half thus

preparing the coherent state jki when her measurement

gives the result k. This state is sent through the quantum channel to Bob who measures either one of the quadratures with a homodyne detection.

In order to prove the security of the protocol, we use the fact that Sðy:EÞ, the Holevo information between Eve and Bob’s classical variable, is maximized when then the state AB shared by Alice and Bob is Gaussian [15]. Therefore,

Sðy:EÞ can be bounded from above by a function of the 180504-2

covariance matrix  of AB [7]. For a quantum channel

characterized by its transmission T and excess noise ,  is given by:  ¼ ðVAþ 1Þ12 ffiffiffiffi T p Zz ffiffiffiffi T p Zz ðTVAþ 1 þ TÞ12 ! ;

where VA is the variance of Alice’s modulation in the

prepare and measure scheme. This covariance matrix has the same form as in the Gaussian modulation scheme where Z would be replaced by the correlation of a two-mode squeezed vacuum ZEPR¼

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi VA2þ 2VA

q

. The correla-tion Z for the state j
i does not take such a simple mathematical form but turns out to be almost equal to ZEPR for small variances (see Fig. 1). Hence, for a

suffi-ciently low modulation variance, the bound on Sðy:EÞ is almost identical to the one obtained for a Gaussian modu-lation. However, the efficient reconciliation
available at low SNR (see Fig.1) allows us to extract more information, and in fine, to distill a key in conditions where the Gaussian modulation protocol is ineffective.

Realistic reconciliation.—The main advantage of a bi-nary modulation compared to a Gaussian modulation is that one can find binary codes allowing high reconciliation efficiency, e.g., 80%, even with a SNR close to 0. This is quite remarkable since all practical reconciliation schemes for a Gaussian modulation [8,18] see their efficiency drop to zero as the SNR becomes too low (see Fig.1). In order to achieve an efficient reconciliation at low SNR, one needs good low-rate codes. These can be constructed rather easily with a concatenation of a capacity-achieving code and a repetition code that we describe now.

At the end of the quantum exchange, Alice and Bob share two correlated vectors x ¼ ðx1; . . . ; xNÞ (with xi¼

=pffiffiffi2) and y ¼ ðy1; . . . ; yNÞ. We will use the

concate-nation of a capacity-achieving code C of length m and a repetition code of length k, assuming that N ¼ mk. Bob starts by defining the vector Y ¼ ðY1; . . . ; YmÞ where Yi¼

sgnðykði
1Þþ1Þ for i 2 f1; . . . ; mg. The goal of the

reconcili-ation is for Alice to be able to compute the vector Y. To do this, Bob sends some side information: the vector fjy1j; . . . ; jyNjg, the m vectors fð1; sgnðykði
1Þþ1

ykði
1Þþ2Þ; . . . ; sgnðykði
1Þþ1 ykiÞg, and the syndrome of

Y for the code C. This scheme allows Alice and Bob to extract m bits out of their N ¼ km data.

This repetition scheme is a simple way to build a good code of rate R=k out of a code of rate R. This construction

is not optimal compared to using a very good error cor-recting code at the considered signal-to-noise ratio but exhibits some interesting features. First, designing very good codes at low SNR is not easy, and has not been intensively studied so far, mainly because the telecom industry does not operate in this regime: this would not be economical since an important number of physical signals would be required to send one information bit. The problem is very different in QKD, where quantum noise is an advantage rather than a drawback. A second advantage of this repetition scheme lies in its simplicity. As we mentioned earlier, the main bottleneck of CVQKD is the reconciliation: it was limiting both the range and the rate of the protocol. In particular, the rate is limited by the complexity of decoding LDPC codes, which is roughly proportional to the size of the code considered (in fact OðN logNÞ). If one uses a repetition scheme of parameter k, then the length of the LDPC code becomes m ¼ N=k allowing a speedup of a factor k. The speed of the recon-ciliation is not proportional to the number of signals ex-changed by Alice and Bob anymore, but to the mutual information they share, which is a major improvement for noisy channels, i.e., long distance. Finally, the penalty in terms of reconciliation efficiency imposed by using this scheme instead of a dedicated low-rate error correcting code is actually quite small. Roughly speaking, a repetition code of length k allows us to decode at a SNR k times smaller. It is indeed easy to show that the efficiency
Rðs=kÞ obtained at a SNR s=k with such a repetition

code is related to the efficiency
LDPCðsÞ available at

SNR s through
Rðs=kÞ ¼

log2ð1þsÞ

klog2ð1þs=kÞ
LDPCðsÞ, that is,

Rðs=kÞ  ð1
2sÞ
LDPCðsÞ when s is small enough. For

instance, there exist good LDPC codes of rate 1=10 decod-ing at SNR 0.17 [19], meaning that
LDPCð0:17Þ  88%

and 8k  1,
Rð0:17k Þ  80%. By using different codes,

one can have a reconciliation efficiency greater than 80% for all SNRs below 1.

The reconciliation scheme presented above performs indeed much better at low SNR (lower that 1) than recon-ciliation schemes used for a Gaussian modulation. This behavior is inverted for higher SNR as a binary modulation is unable to send more that one bit per channel use. As a consequence, the four-state protocol is particularly rele-vant in a long distance scenario, whereas the Gaussian modulation protocol is still better suited to distribute high key rate at short distances.

0.2 0.4 0.6 0.8 1.0 VA 0.5 1.0 1.5 Z 0 1 2 3 4 SNR 0.5 0.6 0.7 0.8 0.9 1.0 β

FIG. 1 (color online). Left: correlation ZEPR of an EPR pair (solid line) and

correlation Z of state j
i (dashed line) as a function of the modulation variance. Right: practical reconciliation efficiency for a binary modulation (dashed line) and for a Gaussian modulation (solid line) [18].

Results and perspectives.—The theoretical perfor-mances of the four-state protocol are displayed in Fig. 2. The quantum channel is characterized by its transmission T ¼ 10
0:02d where is the quantum efficiency of the homodyne detection and d is the distance between Alice and Bob, and its excess noise , that is the noise in excess compared to the shot noise. It should be noted that these performances are comparable with discrete-variable proto-cols, and are much better than previous CVQKD schemes. Whereas Alice usually sends coherent states with a few photons per pulse (between 3 and 10) in the Gaussian modulation protocol, here, the optimal number of photons per pulse typically ranges from 0.2 to 1. Therefore, the similitudes with discrete-variable QKD are important: the information is encoded onto low amplitude coherent states with generally less than 1 photon per pulse. The main difference is that homodyne detection replaces photon counting. In our protocol, however, the error rate is not upper bounded (and can be as close as 0.5 as the reconcili-ation efficiency allows). This sounds in disagreement with security proofs for discrete-variable protocols that impose a maximum admissible quantum bit error rate (QBER). The reason for which this is nonetheless correct is that the error rate in our case in induced by both the noise added by Eve as well as the losses. This is in fact equivalent to a BB84 protocol where Bob would give a random value to each pulse he did not detect. In this case, the QBER is arbitrarily high, but the security is still insured. In some sense, the main difference between the two schemes is that the vacuum noise is processed in two very different ways: whereas it creates ‘‘deletion errors’’ (which are ignored) in the photon counting scheme, it produces ‘‘real errors’’ (which have to be corrected) in the continuous-variable scheme. But in both cases, these errors due to vacuum noise cannot be exploited by anybody, neither by the legitimate parties, nor by Eve.

As a conclusion, we presented a new unconditionally secure continuous-variable QKD protocol based on a dis-crete modulation. The use of good error correcting codes at low SNR allows us to achieve long distances, which was

impossible with a Gaussian modulation. Further work will include analysis of the finite-key effects [20], as well as the implementation of the present protocol.

We thank Joseph Boutros, Nicolas Cerf and Norbert Lu¨tkenhaus for helpful discussions. We acknowledge sup-port from the European Union under project SECOQC (IST-2002-506813), and from Agence Nationale de la Recherche under projects PROSPIQ (ANR-06-NANO-041-05) and SEQURE (ANR-07-SESU-011-01).

[1] V. Scarani, H. Bechmann-Pasquinucci, N. Cerf, M. Dusek, N. Lutkenhaus, and M. Peev, arXiv:0802.4155 [Rev. Mod. Phys. (to be published)].

[2] T. C. Ralph, Phys. Rev. A 61, 010303(R) (1999). [3] F. Grosshans, G. V. Assche, J. Wenger, R. Brouri, N. J.

Cerf, and P. Grangier, Nature (London) 421, 238 (2003). [4] R. Renner and J. I. Cirac, Phys. Rev. Lett. 102, 110504

(2009).

[5] T. M. Cover and J. A. Thomas, Elements of Information Theory (Wiley-Interscience, New York, 1991).

[6] M. A. Nielsen and I. L. Chuang, Quantum Information and Quantum Computation (Cambridge University Press, Cambridge, England, 2000).

[7] J. Lodewyck, M. Bloch, R. Garcı´a-Patro´n, S. Fossier, E. Karpov, E. Diamanti, T. Debuisschert, N. J. Cerf, R. Tualle-Brouri, and S. W. McLaughlin et al., Phys. Rev. A 76, 042305 (2007).

[8] A. Leverrier, R. Alle´aume, J. Boutros, G. Ze´mor, and P. Grangier, Phys. Rev. A 77, 042325 (2008).

[9] T. J. Richardson, M. A. Shokrollahi, and R. L. Urbanke, IEEE Trans. Inf. Theory 47, 619 (2001).

[10] C. Berrou, A. Glavieux, and P. Thitimajshima, in Proceedings of the IEEE International Conference on Communications (IEEE, New York, 1993), Vol.2, pp. 1064–1070.

[11] T. Hirano, H. Yamanaka, M. Ashikaga, T. Konishi, and R. Namiki, Phys. Rev. A 68, 042331 (2003).

[12] R. Namiki and T. Hirano, Phys. Rev. A 74, 032302 (2006). [13] C. Silberhorn, T. C. Ralph, N. Lu¨tkenhaus, and G. Leuchs,

Phys. Rev. Lett. 89, 167901 (2002).

[14] Alternatively, Bob can measure simultaneously both quad-ratures with a heterodyne detection, and the security proof will proceed along the same lines.

[15] This can be proved by applying the reasoning presented in [16] to the quantity Sðy:EÞ instead of Kth¼ Iðx:yÞ

Sðy:EÞ, see also [17].

[16] R. Garcia-Patron and N. J. Cerf, Phys. Rev. Lett. 97, 190503 (2006).

[17] R. Garcia-Patron, Ph.D. thesis, Universite´ Libre de Bruxelles, 2007.

[18] M. Bloch, A. Thangaraj, S. W. McLaughlin, and J.-M. Merolla, in Proceedings of the IEEE Information Theory Workshop, Punta del Este, Uruguay (IEEE, New York, 2006).

[19] T. Richardson and R. Urbanke, Workshop honoring Prof. Bob McEliece on his 60th birthday pp. 24–25 (2002). [20] V. Scarani and R. Renner, Phys. Rev. Lett. 100, 200501

(2008). 0 50 100 150 200 250 d 10−6 10−5 10−4 0.001 0.01 0.1 K

FIG. 2 (color online). Secret key rate as a function of the distance for different values of the excess noise: from top to bottom,  ¼ 0:002, 0.004, 0.006, 0.008, 0.01. The quantum efficiency of Bob’s detection is ¼ 0:6.